Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Re: Trojan Perl Distributions

by flyingmoose (Priest)
on May 05, 2004 at 19:53 UTC ( #350903=note: print w/ replies, xml ) Need Help??


in reply to Trojan Perl Distributions

I am (especially over the last few days) begining to grow on the idea that CPAN submissions need to be peer reviewed and audited substantially, and that there needs to be formal standards on what make/install/test scripts can and can not do. This won't address the security issue of CPAN getting comprimised, but it protects from damage until the server is 'owned'.

Proposed standards:
- No module may make outside network connection without asking the user, including downloading, reporting statistics, etc
- No module may create or remove files outside it's .cpan directory for testing, etc, unless first asking the user...
- A module must not attack databases at random, etc
- (add more here)

Debian has some sort of review, acceptance/rejection, process for modules, using debconf, etc ... not the ideal model, but something to consider.

The natural progression of this is more controversial, especially in the Perl area ... but it would include assurance of test suite quality, code quality, maintainability, and a certain need for the module ...

CPAN has some great stuff on it now, but it has a lot of incomplete stuff that should not have been submitted, which just fills up the search results and causes trouble when you are looking for something useful. There are also a lot of dead/broken/abandoned modules.

I am not the one to clean it up, but it (being the greatest thing Perl has going for it), could certaintly use some improvement to harden it up a bit.


Comment on Re: Trojan Perl Distributions
Re: Re: Trojan Perl Distributions
by stvn (Monsignor) on May 05, 2004 at 20:19 UTC
    - No module may create or remove files outside it's .cpan directory for testing, etc, unless first asking the user...

    But I dont use CPAN to install my modules? I would actually rather not allow the creation of files at all without my permission. I think this is a reasonable thing to do, of course the daring could override that behavior with an environmental variable or something.

    The natural progression of this is more controversial, especially in the Perl area ... but it would include assurance of test suite quality, code quality, maintainability, and a certain need for the module ...

    That seems to the a lot of the goal of the CPAN-QA projects. I think something like this is long overdue. I was surpised by some of the test suites of some of the more popular modules out there. Just looking at Paul Johnson's CPAN code coverage stats, you see an awful lot of red boxes there.

    CPAN has some great stuff on it now, but it has a lot of incomplete stuff that should not have been submitted, which just fills up the search results and causes trouble when you are looking for something useful. There are also a lot of dead/broken/abandoned modules.

    I am not sure I would advocate the reaping of dead/broken/abandoned unregistered modules. Instead, I would instead suggest that the cpan search be improved to weight more recent modules higher than older seemingly abandoned modules.

    However, I would advocate doing this with the registered modules. There seem to be alot of modules that have been registered, but nothing has ever been done with them, they are just placeholders. I think there should be an expiration date on those, if you don't upload any code for a period of time, the namespace comes down and can be used by another.

    I am not the one to clean it up, but it (being the greatest thing Perl has going for it), could certaintly use some improvement to harden it up a bit.

    Of course, you could not clean it up all on your own. But this is the goal of the CPAN-QA project. You can always help them out (assuming your company allows that kind of stuff).

    -stvn
      I am not sure I would advocate the reaping of dead/broken/abandoned unregistered modules. Instead, I would instead suggest that the cpan search be improved to weight more recent modules higher than older seemingly abandoned modules.
      Very much agreed.

      You can always help them out (assuming your company allows that kind of stuff).

      Off-company time is at a premium, and on-company time is a no. So unfortunately I just get to throw ideas out there. Maybe someday :)

      How would you know that a module is abandoned? I have stuff on CPAN I may never update because it does its job exactly as desired and there are no known bugs. Should it be considered abandoned just because it hasn't needed updates?

        I would think the definition of abandoned would have to be that either the author is not longer contactable (after all available methods have been exhausted), or if the author themself declares it abandonded.

        Ideally though abandoned modules would not be removed but instead put up for adoption.

        -stvn
      Very little actually gets registered. You have to be aware of the process and request the namespace. Then somebody has to notice it, care enough to do something about it, and then it seems only certain types of things which can be pigeonholed into the classical taxonomy get registered. Why then should one volunteer's work be slaughtered at some future date because another volunteer never got around to sanctifying it?

      --
      I'm not belgian but I play one on TV.

        Very little actually gets registered....

        Yes, I am going through all this right now. I am trying to register one of my modules (Tree::Simple), the discussion seems slow and not many people seem interested in talking about it. I have recieved some comments that the name is not so good (which I agree with, but plain old "Tree" is already taken), but that is about all.

        Why then should one volunteer's work be slaughtered at some future date because another volunteer never got around to sanctifying it?

        I am not sure what you mean here? My problem is with the registered modules which seem to be either abandoned or just never got updated past 0.01. The best example of this I can find right now is Date::Time. It has not been updated from version 0.01, which was uploaded on March 2, 2000. The description itself says this:

        This is just some suggestions, as nothing is implemented yet. I'm open to critisism. Anyway I don't know if the original name will fit this module with all my plans....
        A code example then follows, but when I look at the source about all it does is declare two packages; Date::Time::UnixTime - which is totally empty, and Date::Time - which only had a 'new' method which does nothing but bless an empty hash. See for yourself here.

        It actually seems as if this author has moved on completely, leaving approx. 3 registered and partially finished modules.

        • Date::Time (described above)
        • DBIx::CGITables - which the author had this to say about in his POD
          This module is under development - and this version is not tested very well. The documentation might not be completely in sync with the latest changes, and the documentation is not optimized for easy understanding at the moment. Sorry.
        • DBIx::Copy - which says this in the BUGS section of the POD
          Except for all the "buts" and "ifs" and missing features above - none yet - but this module is very poorly tested!
        Now clearly these are exceptions, but they are clearly serving no use but to pollute the CPAN. It is these modules I think should be reaped (assuming the author either cannot be contacted or has agreed and declared then abandoned).

        -stvn
Re: Re: Trojan Perl Distributions
by belg4mit (Prior) on May 06, 2004 at 20:46 UTC
    >dead/broken/abandoned modules
    And how do you propose to do that? What if the code "Works as Advertised"? There'd be no reason to "maintain" it. these things can also serve as inspiration for others, or a base for continued development. In fact, it's not unpossible to become co-developer of such a module and modernize/complete it. Hijacking it is, unfortunately, far more difficult than necessary.

    --
    I'm not belgian but I play one on TV.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://350903]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (4)
As of 2014-09-23 01:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (210 votes), past polls